Using zammad behind nginx reverse proxy - Unable to login/sign up with Microsoft - nginx

All Zammad functionality is working fine except for login/sign-up with Microsoft.
Error:
My nginx reverse proxy config is:
# Settings for a TLS enabled server.
upstream backend
{
server 192.168.99.99:443;
}
server
{
ssl on;
listen 9443 ssl http2 default_server;
ssl_certificate "/etc/pki/nginx/bundle.pem";
ssl_certificate_key "/etc/pki/nginx/private/tpsonline.com.key";
location /
{
proxy_set_header CLIENT_IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header Host $host;
proxy_pass https://backend;
}
}
My nginx config from zammad-helm is:
server_tokens off;
upstream zammad-railsserver {
server localhost:3000;
}
upstream zammad-websocket {
server localhost:6042;
}
server {
listen 8080;
server_name _;
root /opt/zammad/public;
access_log /dev/stdout;
error_log /dev/stderr;
client_max_body_size 50M;
location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
expires max;
}
location /ws {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header CLIENT_IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 86400;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_pass http://zammad-websocket;
}
location / {
proxy_set_header Host $http_host;
proxy_set_header CLIENT_IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 180;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_pass http://zammad-railsserver;
gzip on;
gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
gzip_proxied any;
}
}
What could be the reason that the only functionality not working is sign-up with Microsoft?
P.S. I did follow these carefully: https://admin-docs.zammad.org/en/3.6/settings/security/third-party/microsoft.html
I did set the headers as described in the previous Zammad issue https://github.com/zammad/zammad/issues/2758#issuecomment-536465142 but still no luck.
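Added example, not code from the question or from Zammad: a Python model of the header rewriting that the two configs above perform across both hops (outer TLS proxy with `Host $host`, inner zammad-helm nginx with `Host $http_host`), so you can see exactly which Host, X-Forwarded-Proto and X-Forwarded-For values reach the Rails process that builds the OAuth callback URL, plus a trusted-proxy walk of X-Forwarded-For that ignores entries a client injected itself. The proxy address, trusted networks and client addresses are constructed.

```python
import ipaddress

# Constructed model of the two nginx hops in the question: the outer TLS proxy
# (Host $host) and the zammad-helm nginx (Host $http_host). Addresses are made up.
OUTER_PROXY_IP = "192.168.99.10"
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.99.0/24"),
                   ipaddress.ip_network("127.0.0.1/32")]

def nginx_hop(headers, peer_ip, host_directive):
    """Apply the proxy_set_header lines both configs share to one hop.
    host_directive is "$host" (hostname only: port stripped, lowercased) or
    "$http_host" (the Host header exactly as received)."""
    out = dict(headers)
    raw_host = headers.get("Host", "")
    out["Host"] = raw_host.split(":")[0].lower() if host_directive == "$host" else raw_host
    out["CLIENT_IP"] = peer_ip                       # $remote_addr: the peer of THIS hop
    prior = headers.get("X-Forwarded-For")           # $proxy_add_x_forwarded_for appends the peer
    out["X-Forwarded-For"] = f"{prior}, {peer_ip}" if prior else peer_ip
    out["X-Forwarded-Proto"] = "https"               # hard-coded in both configs
    out["X-Forwarded-Ssl"] = "on"
    return out

def headers_seen_by_app(client_headers, client_addr):
    """Client -> outer proxy (Host $host) -> inner nginx (Host $http_host) -> Rails."""
    after_outer = nginx_hop(client_headers, client_addr, "$host")
    return nginx_hop(after_outer, OUTER_PROXY_IP, "$http_host")

def client_ip(xff, peer_ip, trusted=TRUSTED_PROXIES):
    """Walk X-Forwarded-For from the right, skipping known proxies; the first
    address that is not a trusted proxy is the client. Anything further left
    was supplied by the client itself and is ignored."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [peer_ip]
    for addr in reversed(hops):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return addr          # malformed entry: callers must reject it, never read further left
        if not any(ip in net for net in trusted):
            return addr
    return hops[0]               # every hop was a trusted proxy (e.g. an internal health check)
```

Note that CLIENT_IP is overwritten on every hop, so with these two configs the application receives the outer proxy's address in it, not the browser's; only the X-Forwarded-For chain still carries the client.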

Related

Nginx makes Nuxt automatically redirect to index page

The following Nginx config correctly returns /pages/subdomain/index.vue when visiting {tenant}.mysalon.test.
However (!), after 0.5s it automatically changes the view to /pages/index.vue, why?!
The issue disappears when I remove the second location block location /_nuxt/ {}, but without that block I'm not able to access anything within {tenant}.mysalon.test/_nuxt/, because the _nuxt folder isn't located within /pages/subdomain/ obviously.
How to solve?
GIF: https://imgur.com/a/WfIBYmK
server {
listen 80;
server_name ~^(?<tenant>.+)\.mysalon\.test$;
gzip on;
gzip_types text/plain application/xml text/css application/javascript;
gzip_min_length 1000;
location / {
expires $expires;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header x-Tenant $tenant;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 1m;
proxy_connect_timeout 1m;
proxy_pass http://127.0.0.1:3000/subdomain/;
}
location /_nuxt/ {
expires $expires;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header x-Tenant $tenant;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 1m;
proxy_connect_timeout 1m;
proxy_pass http://127.0.0.1:3000/_nuxt/;
}
}

Can't access parent directory through reverse proxy on subdomain

This is my current Nginx server block:
server {
listen 80;
server_name ~^(?<tenant>.+)\.mysalon\.test$;
gzip on;
gzip_types text/plain application/xml text/css application/javascript;
gzip_min_length 1000;
location / {
expires $expires;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header x-Tenant $tenant;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 1m;
proxy_connect_timeout 1m;
proxy_pass http://127.0.0.1:3000/subdomain/;
}
}
It's a reverse proxy for {tenant}.mysalon.test to http://127.0.0.1:3000/subdomain/.
The issue:
It works correctly, but it returns 404s for everything within {tenant}.mysalon.test/_nuxt/; that's because /_nuxt does not live in the /subdomain/ directory, but in the parent http://127.0.0.1:3000/.
So I added the following:
location ^~ /_nuxt/ {
proxy_pass http://127.0.0.1:3000/_nuxt/;
}
So that even on the subdomains, it can access /_nuxt.
However, this new location block makes the first location block inactive for some reason.
When visiting {tenant}.mysalon.test it returns http://127.0.0.1:3000 instead of http://127.0.0.1:3000/subdomain/.
I can't tell you why your second location block breaks the workflow, I didn't see any problems with this config, but you can try to use a single location block and append the /subdomain prefix to the requested URI inside this block if the requested URI doesn't start with /_nuxt/:
location / {
expires $expires;
rewrite ^(?!/_nuxt)(/.*) /subdomain$1 break;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header x-Tenant $tenant;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 1m;
proxy_connect_timeout 1m;
proxy_pass http://127.0.0.1:3000;
}
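Added example, not part of the answer above: a Python re-implementation of the server_name capture and the rewrite from that single location block, so you can check which tenant value ends up in the x-Tenant header and which URI is sent to 127.0.0.1:3000. It also exercises two edge cases worth knowing about: the lookahead `(?!/_nuxt)` has no trailing slash, so a request like `/_nuxtish/x` is also left unprefixed and reaches the upstream root outside the tenant's subtree, and `.+` accepts multi-label hosts such as `a.b.mysalon.test` as tenant `a.b`. The `_STRICT` variants are my tighter alternatives, not from the answer.

```python
import re

# nginx's PCRE named group (?<tenant>...) is spelled (?P<tenant>...) in Python.
SERVER_NAME = re.compile(r"^(?P<tenant>.+)\.mysalon\.test$")                 # as in the answer
SERVER_NAME_STRICT = re.compile(r"^(?P<tenant>[a-z0-9-]+)\.mysalon\.test$")  # exactly one DNS label
# rewrite ^(?!/_nuxt)(/.*) /subdomain$1 break;   -> "$1" is "\1" in Python
REWRITE = re.compile(r"^(?!/_nuxt)(/.*)")          # as in the answer
REWRITE_STRICT = re.compile(r"^(?!/_nuxt/)(/.*)")  # only the real /_nuxt/ directory is exempt

def route(host, uri, strict=False):
    """Return (tenant, uri sent to 127.0.0.1:3000), or None when no server block matches.
    nginx's $host is the Host header lowercased with any :port removed."""
    name_re = SERVER_NAME_STRICT if strict else SERVER_NAME
    rewrite_re = REWRITE_STRICT if strict else REWRITE
    host = host.split(":")[0].lower()
    m = name_re.match(host)
    if not m:
        return None
    # '^' anchors the rewrite to the start of the URI, so re.sub can only fire at position 0
    upstream_uri = rewrite_re.sub(r"/subdomain\1", uri, count=1)
    return m.group("tenant"), upstream_uri
```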

Duplicate listen error with Asp Net Core Nginx Multiple Domain

I am trying to host multiple ASP.NET Core sites with different domains on Linux, Ubuntu 18.04, using nginx as a reverse proxy.
I get the error "duplicate listen options for 80". What is the reason for this error and how can I solve it?
The default nginx conf is:
server {
listen 80;
server_name domain1.com www.domain1.com;
location / {
proxy_pass http://localhost:5000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 80;
server_name domain2.com domain2.com;
location / {
proxy_pass http://localhost:5005;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
You can create a single file for each app...
for domain1.com you can create an archive domain1.com like this:
upstream app1 {
server 192.168.1.250:5000;
}
server {
server_name domain1.com www.domain1.com;
listen 80;
#Redirects traffic
location / {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
proxy_pass http://app1;
}
}
for domain2.com you can create an archive domain2.com like this:
upstream app2 {
server 192.168.1.250:5005;
}
server {
server_name domain2.com www.domain2.com;
listen 80;
#Redirects traffic
location / {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
proxy_pass http://app2;
}
}

Unable to configure NGINX for a Vaadin application deployed in WildFly using Keycloak authentication

I have been searching for days for how to configure nginx to work with my application, but it is nearly impossible.
What I would like to do
Run my application using nginx (v=1.14) as a reverse proxy. My application is a web app written in Vaadin (v=7.6.0) and deployed using WildFly (v=10). We use Keycloak for authentication (v=4.5.0).
The problem
When I go to the URL of my application, I am redirected to Keycloak for authentication. Then I can authenticate and arrive on my web page, but then I get this error message as a banner:
https://xxx/webuploader/VAADIN/vaadinPush.js?=v=7.6.0 could not be loaded. Push will not work
Indeed, I do not find vaadinPush.js in the source of the web page (while I can find vaadinBootstrap.js). But if I copy the URL and authenticate, I get the JavaScript from Vaadin.
What I think is the cause
I think that something is not well configured between Keycloak and nginx, leading to an authentication problem when the application tries to get vaadinPush.js.
Another possibility is that vaadinPush.js is not even requested (no trace of it in the console, like 403/404/500 ...).
configuration
nginx.conf
#user nobody;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
server_name uploader.xxx.be;
listen 443; # HTTPS listening port
# SSL Certificates for Uploader.hospital.com
ssl_certificate ../conf/XXX.crt;
ssl_certificate_key ../conf/XXX.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://*hostname*:*port*/webuploader/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $http_host;
proxy_set_header X-Forwarded-Port 443; # must match listen port
proxy_cookie_path /webuploader/ /;
proxy_set_header Cookie $http_cookie;
}
location /webuploader/ {
proxy_pass http://*hostname*:*port*/webuploader/;
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'X-Frame-Options' 'sameorigin';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $http_host;
proxy_set_header X-Forwarded-Port 443;
}
location /webuploader/webuploader/ {
proxy_pass http://*hostname*:*port*/webuploader/;
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'X-Frame-Options' 'sameorigin';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $http_host;
proxy_set_header X-Forwarded-Port 443;
}
location /webuploader/PUSH {
proxy_pass http://*hostname*:*port*/webuploader/PUSH;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_buffering off;
proxy_ignore_client_abort off;
proxy_read_timeout 84600s;
proxy_send_timeout 84600s;
break;
}
}
server {
# Configuration for Keycloak
server_name auth.XXX.be; #Keycloak External URL
listen 443; # HTTPS listening port
# SSL Certificates for auth.hospital.com
ssl_certificate ../conf/XXX.crt;
ssl_certificate_key ../conf/XXX.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://10.32.1.157:8081/; #Keycloak internal URL
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'X-Frame-Options' 'sameorigin';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $http_host;
proxy_set_header X-Forwarded-Port 443; # must match listen port
proxy_cookie_path / /;
proxy_set_header Cookie $http_cookie;
}
location /webuploader/PUSH {
proxy_pass http://*hostname*:*port*/webuploader/PUSH;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_buffering off;
proxy_ignore_client_abort off;
proxy_read_timeout 84600s;
proxy_send_timeout 84600s;
break;
}
}
}
standalone.xml of Keycloak
<http-listener name="default" socket-binding="http" enable-http2="true" proxy-address-forwarding="true" redirect-socket="https" />
standalone.xml of Wildfly
<realm name="XXX">
<auth-server-url>https://auth.XXX.be/auth/</auth-server-url>
<ssl-required>external</ssl-required>
</realm>
<http-listener name="default" socket-binding="http" enable-http2="true" proxy-address-forwarding="true" redirect-socket="https" />
configuration of my application in Keycloak
Thanks a lot in advance to all of you :)
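Added example, not from the question or from nginx, Keycloak or Vaadin: a small Python audit that tokenizes an nginx config and flags the settings in the posted nginx.conf that a reviewer would want revisited once the push problem is solved: TLS 1.0/1.1 in ssl_protocols, `ssl on` (deprecated in nginx 1.15.0 and later in favour of `listen 443 ssl`), and a wildcard Access-Control-Allow-Origin on the Keycloak proxy. The sample config is a constructed excerpt with placeholder names and addresses.

```python
import re

# Constructed excerpt that mirrors the settings in the question's nginx.conf
# (placeholder hostname and address; not the poster's real file).
SAMPLE = """
server {
    server_name auth.example.test;   # placeholder
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass http://10.0.0.1:8081/;
        add_header 'Access-Control-Allow-Origin' '*';
    }
}
"""
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def directives(text):
    """Flatten an nginx config into (block_path, name, args) tuples; comments dropped, quotes stripped."""
    text = re.sub(r"#[^\n]*", "", text)
    path, out = [], []
    for m in re.finditer(r"([^{};]*)([{};])", text):
        stmt, end = m.group(1).strip(), m.group(2)
        if end == "}":
            path.pop()
        elif stmt:
            parts = [p.strip("'\"") for p in stmt.split()]
            if end == "{":
                path.append(" ".join(parts))      # e.g. "server", then "location /"
            else:
                out.append((list(path), parts[0], parts[1:]))
    return out

def audit(text):
    """Return one finding per directive a reviewer would push back on."""
    findings = []
    for path, name, args in directives(text):
        where = " > ".join(path) or "(top level)"
        weak = sorted(WEAK_TLS & set(args)) if name == "ssl_protocols" else []
        if weak:
            findings.append(f"{where}: ssl_protocols enables {', '.join(weak)}")
        elif name == "ssl" and args[:1] == ["on"]:
            findings.append(f"{where}: 'ssl on' is deprecated since nginx 1.15.0; use 'listen 443 ssl'")
        elif (name == "add_header" and len(args) >= 2
              and args[0].lower() == "access-control-allow-origin" and args[1] == "*"):
            findings.append(f"{where}: wildcard Access-Control-Allow-Origin on a proxied auth endpoint")
    return findings
```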

How to design Nginx location for microservice?

We have 10 Microservices-based applications. Each of them has about 15 services. So, we have 150 different service URLs for our product.
My question: How to design the Nginx location?
1) One location per application
2) One location per URL
3) Other way
I think there are some things to trade off:
a. config complexity
b. conflicting location issues
c. impact when a microservice is refactored
d. nginx.conf size
Could someone give me some guidance or the best practice?
Just to give you an example of one of my own configurations. I cannot say this is the best way to do it, but I did refer to/read a lot of blogs before making this up.
worker_processes 1;
events { worker_connections 10000; }
http {
sendfile on;
gzip on;
gzip_http_version 1.0;
gzip_proxied any;
gzip_min_length 999;
gzip_disable "MSIE [1-6]\.";
gzip_types text/plain text/xml text/css
text/comma-separated-values
text/javascript
application/x-javascript;
# List of application servers
upstream company_api_servers {
server company.xxxx.xxxx:port_number;
}
upstream community_api_servers {
server community.xxxx.xxxx:port_number;
}
upstream devices_api_servers {
server devices.xxxx.xxxx:port_number;
}
# Configuration for the server
server {
# Running port
listen 80;
# Proxying the Companies API
location /companies {
proxy_pass http://company_api_servers;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
# Proxying the Communities API
location /communities {
proxy_pass http://community_api_servers;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
# Proxying the Devices API
location /devices {
proxy_pass http://devices_api_servers;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
}
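Added example, not from this answer or from nginx: a Python model of how nginx picks a location (exact match, then longest prefix, `^~` suppressing regex search, then the first matching regex in config order). It is run over location tables transcribed from three configs on this page: the microservice config just above, the Nuxt `location /` plus `location ^~ /_nuxt/` pair from the earlier question, and the zammad-helm config with its regex block. The point it demonstrates is that prefix locations without a trailing slash, such as `location /companies`, also capture `/companies-admin/...`, so a request for a path you never intended to expose still reaches that upstream; `MICROSERVICES_STRICT` is my tighter alternative, not from the answer.

```python
import re

def select_location(locations, uri):
    """Pick the location nginx would use for uri.
    locations: list of (modifier, pattern, name) in config order; modifier is
    '=' (exact), '^~' (prefix that stops regex search), '' (prefix), '~' (regex)
    or '~*' (case-insensitive regex). Returns the name, or None (nginx answers 404)."""
    for mod, pat, name in locations:                # 1. an exact match wins outright
        if mod == "=" and uri == pat:
            return name
    best = None                                     # 2. longest matching prefix, '' or '^~'
    for mod, pat, name in locations:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, name)
    if best and best[0] == "^~":                    # 3. '^~' on the longest prefix skips regexes
        return best[2]
    for mod, pat, name in locations:                # 4. first regex that matches, in config order
        if mod in ("~", "~*") and re.search(pat, uri, re.IGNORECASE if mod == "~*" else 0):
            return name
    return best[2] if best else None                # 5. otherwise the longest prefix

# Location tables transcribed from the configs on this page (upstream names as given there).
MICROSERVICES = [("", "/companies", "company_api_servers"),
                 ("", "/communities", "community_api_servers"),
                 ("", "/devices", "devices_api_servers")]
# Tighter variant: '/companies' itself or anything below '/companies/', nothing else.
MICROSERVICES_STRICT = [("=", "/companies", "company_api_servers"),
                        ("", "/companies/", "company_api_servers")]
NUXT = [("", "/", "subdomain_app"), ("^~", "/_nuxt/", "nuxt_assets")]
ZAMMAD = [("~", r"^/(assets/|robots.txt|humans.txt|favicon.ico)", "static"),
          ("", "/ws", "websocket"),
          ("", "/", "rails")]
```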
